Instructions tested and working (with vpn-specific required modifications to openvpn.conf): https://www.whonix.org/wiki/Tunnels/Connecting_to_Tor_before_a_VPN#Setup_Tor_before_a_VPN_.28User_-.3E_Tor_-.3E_VPN_-.3E_Internet.29
Fail-closed tests with:
WORKSTATION_FIREWALL=1
TUNNEL_FIREWALL_ENABLE=true
|-------------------|---------------------------------|
| TransPort traffic | TUNNEL_FIREWALL_ALLOW_LOCAL_NET |
|                   |      true      |     false      |
|-------------------|----------------|----------------|
| VPN Up            |    allowed     |    allowed     |
| VPN Down          |    blocked     |    blocked     |
|-------------------|----------------|----------------|

|-------------------|---------------------------------|
| SocksPort traffic | TUNNEL_FIREWALL_ALLOW_LOCAL_NET |
|                   |      true      |     false      |
|-------------------|----------------|----------------|
| VPN Up            |    allowed     |    blocked     |
| VPN Down          |    allowed     |    blocked     |
|-------------------|----------------|----------------|
Working as expected (by me anyway).
Notes:

- Not sure why VPN_FIREWALL= is still in the conf file. Would like confirmation that it is obsolete and replaced by TUNNEL_FIREWALL_ENABLE?

- With all the changes to the root filesystem, really need bind-directories functionality for this (in Qubes), as noted in the wiki. (Not interested in standalone VMs.)

- As a temporary workaround, would like to keep the openvpn files in ~/openvpn/ and launch manually (not use systemd).
  With my limited Linux knowledge, can't figure out why:

      su tunnel
      sudo openvpn openvpn.conf

      ROUTE_GATEWAY 10.137.2.1
      TUN/TAP device tun0 opened

  works, but

      sudo -u tunnel openvpn openvpn.conf

      ROUTE_GATEWAY 10.137.2.1
      ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
      Exiting due to fatal error

  fails to create the tun device.